Netflow - Direction field in argus?

Sebastian YEPES FERNANDEZ syepes at gmail.com
Thu Jun 13 08:31:50 EDT 2013


Hello,

We have configured one of our Cisco routers to forward NetFlow v9 stats
in both ingress and egress modes on one physical interface. We have
verified using tcpdump/Wireshark that the received packets have the
direction field correctly set depending on the traffic (0 = ingress flow,
1 = egress flow).

The issue is that once we have collected the NetFlow records into the
Argus format we are not able to see the direction of the packets; we see
many ? and ?>.

- Does anyone have experience with this kind of setup?
- How can we clearly distinguish between ingress and egress flows using
the ra* tools?



The setup:
 Version: argus-clients-3.0.7.9.tar.gz

# cat /opt/argus/radium.cfg
RADIUM_BIND_IP=10.x.x.x
RADIUM_DAEMON=no
RADIUM_CISCONETFLOW_PORT=9996
RADIUM_ACCESS_PORT=561
RADIUM_MAR_STATUS_INTERVAL=60

# /opt/argus/bin/radium -f /opt/argus/radium.cfg
# /opt/argus/bin/rasplit -S $(hostname) -M time 1d -w /opt/argus/data/archive/%Y/%m/data.%Y-%m-%d
# /opt/argus/bin/ra -R /opt/argus/data/archive/2013/06 -M rmon -s saddr sport daddr dport proto trans pkts bytes dir

               Host  Sport            DstAddr  Dport  Proto  Trans  TotPkts  TotBytes  Dir
            10.x.x.x.snmp             10.y.y.y.19940    udp      1        2       440   ->
           10.x.x.x.19940              10.y.y.y.snmp    udp      1        2       440   <-
            10.y.y.y.4816              10.x.x.x.http    tcp      1        2       198   ?>
            10.x.x.x.http                 10.y.y.y.y    tcp      1        2       198   <?
            10.x.x.x.http                 10.y.y.y.y    tcp      1        2        20    ?
 …
 …


Thanks in advance for any help.


Best regards,
Sebastian
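One thing worth checking before concluding that the direction is lost on the collector side is whether the v9 records really carry element 61 (DIRECTION, 0 = ingress, 1 = egress) and what value each record holds. The following Python is an added example, not code from the post above or from the argus tools: it builds a NetFlow v9 export packet with one template FlowSet and three data records, then parses it back and decodes field 61. The field type numbers follow the NetFlow v9 field type list; the addresses, ports, counters and header values are constructed sample data, loosely modelled on the table in the post.

```python
# Added example (not from the original post or the argus project): serialize a
# small NetFlow v9 packet and parse it back, decoding field type 61 (DIRECTION).
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type IDs (Cisco field type definitions / RFC 3954).
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 8, 11, 12
DIRECTION = 61  # 1 byte: 0 = ingress flow, 1 = egress flow

TEMPLATE_ID = 256  # data FlowSet IDs are >= 256; 0 and 1 are template/options FlowSets
TEMPLATE: List[Tuple[int, int]] = [  # (field type, length in bytes)
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4), (DIRECTION, 1),
]

# Constructed sample flows (RFC 1918 addresses); direction values are made up.
SAMPLE_FLOWS: List[Dict] = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 161, "dport": 19940, "proto": 17, "pkts": 2, "bytes": 440, "direction": 0},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "sport": 4816, "dport": 80, "proto": 6, "pkts": 2, "bytes": 198, "direction": 1},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 80, "dport": 4816, "proto": 6, "pkts": 2, "bytes": 198, "direction": 0},
]


def build_packet(flows: List[Dict]) -> bytes:
    """Serialize a v9 packet: 20-byte header, template FlowSet, data FlowSet."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ftype, flen in TEMPLATE:
        tmpl += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl  # FlowSet ID 0 = template

    data = b""
    for f in flows:  # record layout must match TEMPLATE exactly
        data += socket.inet_aton(f["src"]) + socket.inet_aton(f["dst"])
        data += struct.pack("!HHBIIB", f["sport"], f["dport"], f["proto"],
                            f["pkts"], f["bytes"], f["direction"])
    data += b"\x00" * ((-len(data)) % 4)  # exporters pad FlowSets to a 4-byte boundary
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data

    # header: version, record count (templates + data records), sysUptime,
    # unix secs, sequence number, source ID (the last four are constructed values)
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 123456, 1371123110, 1, 0)
    return header + template_fs + data_fs


def _decode(fields: List[Tuple[int, int]], raw: bytes) -> Dict:
    """Decode one data record with its template; map field 61 to a label."""
    vals, p = {}, 0
    for ftype, flen in fields:
        vals[ftype] = raw[p:p + flen]
        p += flen

    def u(ftype: int) -> int:
        return int.from_bytes(vals[ftype], "big")

    if DIRECTION in vals:
        direction = {0: "ingress", 1: "egress"}.get(u(DIRECTION), "unknown")
    else:
        direction = "absent"  # the template carried no DIRECTION element at all
    return {
        "src": socket.inet_ntoa(vals[IPV4_SRC_ADDR]), "dst": socket.inet_ntoa(vals[IPV4_DST_ADDR]),
        "sport": u(L4_SRC_PORT), "dport": u(L4_DST_PORT), "proto": u(PROTOCOL),
        "pkts": u(IN_PKTS), "bytes": u(IN_BYTES), "direction": direction,
    }


def parse_packet(pkt: bytes) -> List[Dict]:
    """Walk the FlowSets: learn templates from FlowSet 0, decode data FlowSets."""
    version, _count, _uptime, _secs, _seq, _src_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    flows: List[Dict] = []
    off = 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet; may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):  # trailing padding is shorter than one record
                flows.append(_decode(fields, body[p:p + rec_len]))
                p += rec_len
        # FlowSet 1 (options) and data FlowSets whose template has not arrived are skipped
        off += fs_len
    return flows


def demo() -> List[Dict]:
    """Round-trip the constructed flows; returns the decoded records."""
    return parse_packet(build_packet(SAMPLE_FLOWS))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto={f['proto']} dir={f['direction']}")
```

The parser deliberately drops a data FlowSet whose template has not been seen yet, which is what happens on a real collector until the exporter's next template refresh; if the records decode with field 61 present and set, the direction was on the wire and any "?" seen later was introduced after that point.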

